Krebs on Security

In-depth security news and investigation

Posts Tagged: DVLabs

2011 has been called the year of the data breach, with hacker groups publishing huge troves of stolen data online almost daily. Now a new site called pwnedlist.com lets users check to see if their email address or username and associated information may have been compromised.

Pwnedlist.com is the creation of Alen Puzic and Jasiel Spelman, two security researchers from DVLabs, a division of HP/TippingPoint. Enter a username or email address into the site’s search box, and it will check to see if the information was found in any of these recent public data dumps.

Puzic said the project stemmed from an effort to harvest mounds of data being leaked or deposited daily to sites like Pastebin and torrent trackers.

“I was trying to harvest as much data as I could, to see how many passwords I could possibly find, and it just happened to be that within two hours, I found about 30,000 usernames and passwords,” Puzic said. “That kind of got me thinking that I could do this every day, and if I could find over one million then maybe I could create a site that would help the everyday user find if they were compromised.”

Pwnedlist.com currently allows users to search through nearly five million emails and usernames that have been dumped online. The site also frequently receives large caches of account data that people directly submit to its database. Puzic said it is growing at a rate of about 40,000 new compromised accounts each week.

Puzic said information contained in these data donations often make it simple to learn which organization lost the information.

“Usually, somewhere in the dump files there’s a readme.txt file or there’s some type of header made by hacker who caused the breach, and there’s an advertisement about who did the hack and which company was compromised,” Puzic said. “Other times it’s really obvious because all of the emails come from the same domain.”

Puzic said Pwnedlist.com doesn’t store the username, email address and password data itself; instead, it records a cryptographic hash of the information and then discards the plaintext data. As a result, a “hit” on any searched email or username only produces a binary “yes” or “no” answer about whether any hashes matching that data were found. It won’t return the associated password, nor does it offer any clues about from where the data was leaked.